Thunderclap Vulnerability May Leave Thunderbolt Computers Open to Attacks

A team of researchers has uncovered a new vulnerability, called "Thunderclap," in the Thunderbolt data transfer specification. It could expose computers to severe attacks from otherwise harmless USB-C or DisplayPort hardware.

As researcher Theo Markettos explains, Thunderclap uses the privileged Direct Memory Access (DMA) that Thunderbolt accessories get to gain access to the target device. Without adequate safeguards, hackers can use this access to steal data, track files, and execute malicious code.

This type of operating-system-level access is usually granted to accessories such as GPUs or network adapters. Because Thunderbolt was designed to replicate these functions externally, it requires the same level of access. Being external, however, makes the system more vulnerable to attacks: connecting a malicious device to a port is easier than opening a computer and installing a hacked video card.

The vulnerability is not unique to Thunderbolt 3; older Thunderbolt devices based on DisplayPort instead of USB-C are theoretically also at risk.

Markettos and his team discovered the vulnerability in 2016 and have already disclosed it to manufacturers, who have developed fixes: Apple fixed a specific part of the bug in macOS 10.12.4 in the same year, and the most recently updated Macs should be protected from attack. Windows 10 version 1803 also protects against the vulnerability at the firmware level on newer devices.

This is not the kind of attack that most users are normally exposed to. (Hackers using specially poisoned USB-C devices to target computers by posing as a fake GPU are not something most people usually encounter.) However, it is a good reminder that you should not connect your computer to accessories or chargers that you cannot trust.

And even if Thunderclap does not affect your device, it shows that even our best standards are not perfect, even at the high end of the peripherals industry that Thunderbolt represents.